[asterisk-bugs] [JIRA] (ASTERISK-24575) [patch]Make capath work for res_pjsip
Mark Michelson (JIRA)
noreply at issues.asterisk.org
Thu Dec 4 16:27:29 CST 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-24575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223889#comment-223889 ]
Mark Michelson commented on ASTERISK-24575:
-------------------------------------------
I had a look at the Asterisk code review on reviewboard. Aside from what opticron mentioned about alembic scripts, it looks good to me.
The PJSIP code has potential problems though:
{code}
- PJ_ASSERT_RETURN(pool && CA_file && cert_file && privkey_file, PJ_EINVAL);
+ PJ_ASSERT_RETURN(pool && CA_file && CA_path && cert_file && privkey_file, PJ_EINVAL);
{code}
>From what I understand about CA_file and CA_path, only one needs to be provided. This code will assert if one of CA_file or CA_path is NULL. From Asterisk, this won't ever happen, since AST_STRING_FIELDs can never be NULL. But if this is being added and to be used by other projects, this would need to be altered to allow for one of CA_file or CA_path to be NULL. Similarly, the subsequent {{pj_strdup_with_null()}} calls for CA_file and CA_path in this function would need to be made NULL-tolerant.
Also, I don't know how OpenSSL handles calls to SSL_CTX_load_verify_locations() when it is given empty strings for the CAfile or CApath parameters. https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html mentions what happens when NULL parameters are passed in, but it doesn't mention what happens when an empty string is passed in. If behavior is the same as for a NULL pointer, that's fine, but I just want to make sure we're not setting up a situation where we cause breakage because we end up passing an empty string instead of a NULL pointer into the function.
> [patch]Make capath work for res_pjsip
> -------------------------------------
>
> Key: ASTERISK-24575
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24575
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: pjproject/pjsip, Resources/res_pjsip
> Affects Versions: SVN, 12.7.1, 13.0.1
> Reporter: cloos
> Attachments: pj-ca-path-12.diff, pj-ca-path-trunk.diff, pjproject-ca-path.diff
>
>
> Every component which does tls supports capaths in addition to cafiles, except pjsip.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list